Developers: Positive Technologies
Date of the premiere of the system: 2016
Last release date: 2024/05/15
Technology: IS - Firewalls
Main article: Firewall
2024
Support for ABB and Energomera protocols
The updated version of the PT Industrial Security Incident Manager deep traffic analysis system simplifies information security monitoring of large distributed production facilities. PT ISIM has gained features that speed up the delivery of detection rules and threat indicators and make the system easier to administer. In addition, support for the ABB and Energomera protocols was added to the product to identify dangerous commands and anomalies. Positive Technologies announced this on May 15, 2024.
"PT ISIM Overview Center can now automatically download PT ISTI updates (Positive Technologies expert rule bases for identifying threats to industrial infrastructures) from Positive Technologies servers and distribute them over secure channels to all connected PT ISIM sensors. This gives users immediate access to up-to-date information about attacks and how to identify them," said Ilya Kosynkin, head of product development for industrial systems security at Positive Technologies.
In the updated version, the user can log in to any PT ISIM sensor in the hierarchy using a MaxPatrol SIEM account. To do this, the PT ISIM Overview Center and all PT ISIM sensors are configured to integrate with the PT Management and Configuration (PT MC) module. If PT MC is integrated with Active Directory, a domain account can be used to log in to all connected PT ISIM sensors.
PT ISIM 4.5 can now differentiate access to PT ISIM Overview Center features between SOC analysts and IT administrators. It is now possible to connect sensors installed in several independent organizations or subsidiaries to a single PT ISIM Overview Center console. All users work on a shared server but only have access to data from their own organization's sensors.
PT ISIM 4.5, together with the added expertise package, also introduced support for the ABB and Energomera protocols. In particular, support for the CE_A protocol of Energomera, the leader of the Russian market for electricity metering devices, makes it possible to detect attempts to exploit vulnerabilities in its CE805M data collection and transmission device.
Expertise package added with support for five industrial protocols
The PT Industrial Security Incident Manager (PT ISIM) deep process traffic analysis system has received an expertise package with support for five industrial protocols. Four of them are used in equipment from ABB, one of the manufacturers of process control systems (APCS), and one in devices from Energomera, the leader of the Russian market for electricity metering devices. PT ISIM can now detect even more dangerous technological commands and anomalies that signal intruder activity in a timely manner. Positive Technologies reported this on April 26, 2024.
"Industrial companies are among the top three most common targets of cyber attacks. To penetrate the infrastructure and bypass information protection tools, attackers can use the standard capabilities of process control systems, so it is important to analyze the executed commands in a timely manner. In this expertise package, we analyzed operations in five industrial protocols. This will help identify cyber threats before attackers have time to inflict significant damage on the company," said Anton Baev, head of the industrial systems research group at Positive Technologies.
This expertise allows PT ISIM to track commands for configuring and interacting with the ABB MicroSCADA APCS system and ABB Freelance CAS, as well as operations with ABB programmable logic controllers (PLCs), including attempts to compromise an account by guessing the login and password (brute force), changes to the PLC's own database, and emergency shutdown of devices. In addition, with the new expertise package the product now identifies exploitation of the dangerous vulnerabilities CVE-2023-0425 and CVE-2023-0426 in controllers such as the AC 900F and AC 700F; these security flaws were previously discovered by Positive Technologies experts.
The CE_A protocol was created by Energomera. It provides information exchange between the data collection and transmission device (DRC) and automated electricity metering systems (AICMS). The DRC is used to account for energy resources and is installed at substations and in the distribution boards of industrial enterprises, residential and office buildings. The expertise update makes it possible to identify events related to the accounting, processing, storage and transfer of information, as well as to control of the automation object and monitoring of its state.
The expertise package is available to all users of PT ISIM 4.4 and higher.
Expanded support for Emerson DeltaV DCS and 3,000 threat indicators added
On January 17, 2024, Positive Technologies released an expertise package for the PT Industrial Security Incident Manager (PT ISIM) deep industrial traffic analysis system. The product has expanded support for Emerson's DeltaV Distributed Control System (DCS). PT ISIM now detects more information security events and enables even more effective protection. The product includes over 3,000 rules for detecting current cyber threats, all with detailed descriptions that help information security specialists quickly analyze events and incidents.
The updated expertise package includes an in-depth analysis of the management and data exchange protocol of the Emerson DeltaV DCS. PT ISIM analyzes controller control commands and process parameters (system and diagnostic tag values) transmitted over the industrial network. This allows the system to detect more information security events that may signal cyber attacks. In particular, PT ISIM records DCS controllers switching to debug mode, changes to the lock state, and loading of control firmware into a controller. In addition, PT ISIM can detect suspicious actions in the management and operation of controller modules performed via the Telnet network protocol and the proprietary DeltaV DCS protocol.
"We have analyzed the operations in the proprietary protocol for managing and exchanging DeltaV DCS data, and now PT ISIM understands how devices interact with each other, which commands are used and in which cases they are unsafe," said Roman Ostashkin, industrial systems research expert at Positive Technologies. "Some information security events do not occur that often in the infrastructure, but they can entail significant damage. Therefore, they need to be analyzed in a timely manner, and here monitoring of standard operations will be useful: hackers can build attack vectors and ways to bypass information protection tools around them. The information security events that we analyzed in the new expertise package, as well as the updated database of attack detection rules, will help to eliminate threats to industrial companies in a timely manner."
An important change in the expertise package is the update of the signature database for detecting security violations. PT ISIM now has more than 3,000 indicators of current threats to industrial enterprises. Detailed descriptions have been added to them, which simplify the work of specialists and let them immediately get a complete understanding of what triggered a detection. In addition, 2,000 legacy signatures have been removed from the database.
The updates include an ICMP tunnel detection rule. ICMP is often allowed through firewalls, and attackers can use it to bypass information protection tools, establish communication with command-and-control servers, exfiltrate data from the technological network, or deliver malware into the infrastructure. The added rule allows such misuse of the protocol to be detected early.
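The page does not say how the ICMP tunnel rule works. As an added illustration (not PT ISIM's rule or code from Positive Technologies), the following defender-side heuristic scores constructed ICMP echo messages on the properties tunnelled traffic tends to have: oversized, high-entropy payloads, requests that match no OS ping fill pattern, and replies that do not mirror their requests. All thresholds, weights and sample packets are assumptions made for this example.

```python
"""Heuristic scoring of ICMP echo traffic for signs of tunnelling (added example).
Weights are assumptions, not PT ISIM's rule logic: +2 oversized payload,
+2 high Shannon entropy, +3 reply that does not mirror its request (RFC 792
requires a copy), +1 request payload matching no known OS ping fill (weak)."""
from __future__ import annotations
import hashlib
import math
import struct
from collections import Counter

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
MAX_NORMAL_PAYLOAD = 128  # bytes; assumption: ordinary pings rarely exceed this
ENTROPY_THRESHOLD = 6.0   # bits per byte; encrypted/compressed data approaches 8.0
SUSPICIOUS_SCORE = 2      # report a flow once its accumulated score reaches this
WINDOWS_PING_FILL = b"abcdefghijklmnopqrstuvwabcdefghi"  # Windows default 32-byte payload

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum; a message carrying a valid checksum yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_icmp(raw: bytes) -> tuple[int, int, int, bytes] | None:
    """Return (type, identifier, sequence, payload) for an ICMP echo message (IP header stripped)."""
    if len(raw) < 8:
        return None
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return None  # other ICMP types (e.g. destination unreachable) are out of scope
    return icmp_type, ident, seq, raw[8:]

def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_like_os_ping_fill(payload: bytes) -> bool:
    """Windows: fixed 32-byte alphabet; Linux iputils: 16-byte timestamp, then bytes 0x10..0x37."""
    if payload == WINDOWS_PING_FILL:
        return True
    return len(payload) == 56 and payload[16:] == bytes(range(16, 56))

def analyze_icmp_flow(packets: list[bytes]) -> dict[tuple[int, int], dict]:
    """Score each (identifier, sequence) echo pair: {key: {"score": int, "reasons": [...]}}."""
    verdicts: dict[tuple[int, int], dict] = {}
    requests: dict[tuple[int, int], bytes] = {}
    for raw in packets:
        parsed = parse_icmp(raw)
        if parsed is None:
            continue
        icmp_type, ident, seq, payload = parsed
        key = (ident, seq)
        entry = verdicts.setdefault(key, {"score": 0, "reasons": []})
        size, ent = len(payload), shannon_entropy(payload)
        if size > MAX_NORMAL_PAYLOAD:
            entry["score"] += 2
            entry["reasons"].append(f"oversized payload ({size} bytes)")
        if ent > ENTROPY_THRESHOLD:
            entry["score"] += 2
            entry["reasons"].append(f"high-entropy payload ({ent:.2f} bits/byte)")
        if icmp_type == ICMP_ECHO_REQUEST:
            requests[key] = payload
            if not looks_like_os_ping_fill(payload):
                entry["score"] += 1
                entry["reasons"].append("payload matches no known OS ping fill pattern")
        elif key in requests and requests[key] != payload:
            entry["score"] += 3
            entry["reasons"].append("reply payload does not mirror the request (RFC 792)")
    return verdicts

def suspicious_flows(packets: list[bytes]) -> list[tuple[int, int]]:
    return sorted(k for k, v in analyze_icmp_flow(packets).items() if v["score"] >= SUSPICIOUS_SCORE)

# Constructed sample traffic (not captured from any real network).
def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    return struct.pack("!BBHHH", icmp_type, 0, icmp_checksum(header + payload), ident, seq) + payload

def pseudo_random(seed: bytes, blocks: int = 32) -> bytes:
    """Deterministic high-entropy filler (32 x SHA-256) standing in for encrypted tunnel data."""
    return b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(blocks))

LINUX_FILL = bytes.fromhex("650a1e4f00000000000a1b2c00000000") + bytes(range(16, 56))
SAMPLE_PACKETS = [
    build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, LINUX_FILL),            # ordinary Linux ping
    build_echo(ICMP_ECHO_REPLY, 0x1234, 1, LINUX_FILL),
    build_echo(ICMP_ECHO_REQUEST, 0x0001, 9, WINDOWS_PING_FILL),     # ordinary Windows ping
    build_echo(ICMP_ECHO_REPLY, 0x0001, 9, WINDOWS_PING_FILL),
    build_echo(ICMP_ECHO_REQUEST, 0xBEEF, 7, pseudo_random(b"up")),  # tunnel: 1024 B outbound
    build_echo(ICMP_ECHO_REPLY, 0xBEEF, 7, pseudo_random(b"down")),  # tunnel: 1024 B inbound
    struct.pack("!BBHHH", 3, 1, 0, 0, 0) + b"\x00" * 8,              # destination unreachable
]
```

Running `suspicious_flows(SAMPLE_PACKETS)` reports only the (0xBEEF, 7) pair; the two ordinary pings score zero. The fill-pattern check alone is deliberately weak, since tools such as `ping -p` and non-Windows/Linux stacks legitimately use other payloads.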
The updates also affected existing signatures, in particular the ARP spoofing attack detection rule. This is a network attack on the ARP protocol that hackers use to intercept data transmitted between devices. The rule is now less dependent on the company's infrastructure and works more accurately.
The updated expertise package is available to all PT ISIM 4.4 and higher users.
2023
PT Industrial Security Incident Manager 4.4 with advanced control of network communications at digital power facilities according to the IEC 61850 standard
The PT Industrial Security Incident Manager 4.4 deep process traffic analysis system now includes advanced control of network communications at digital power facilities according to the IEC 61850 standard. The product has a MicroView Sensor, which is installed on compact industrial PCs and is designed for small automation facilities: 6-10 kV substations, thermal stations, workshops, and engineering systems of data centers and buildings. The user interface has also been simplified. This was announced on November 29, 2023 by Positive Technologies.
PT ISIM implements advanced control of digital communications according to the IEC 61850 standard, which is used in the electric power industry to describe a reference automation system for the design of digital substations and other power facilities. The product can detect abnormal network connections, failures and communication errors in the MMS and GOOSE protocols that indicate improper operation, incorrect equipment configuration or attempts to compromise devices.
"MicroView Sensor is a simplified version of NetView Sensor," said Ilya Kosynkin, head of industrial security product development at Positive Technologies. "This sensor has the same functionality as the other versions, except that instead of registering and storing the entire event stream, only key events are recorded. Thanks to this, the cost of the product has decreased. In addition, the updated hardware requirements make it possible to use the system on inexpensive fanless industrial PCs."
The updated version of PT ISIM improves the mechanism for manually merging and splitting nodes in the network diagram. The algorithm for automatically merging interfaces into nodes has changed significantly and now works more stably in networks with a complex structure. The algorithm changes the existing network diagram only when new interfaces are identified, so as not to alter what the user has already adjusted manually.
In the Overview Center, a single list of incidents can now be opened on one screen with the geographical map hidden. Moving on to a detailed investigation of an incident in PT ISIM has also been made easier.
Upgrading from previous versions is now fully centralized for all supported operating systems; manual updating of additional modules is not required.
Expansion of Emerson and GE Fanuc Controller Support
On July 31, 2023, Positive Technologies released an expertise package for the PT Industrial Security Incident Manager (PT ISIM) deep industrial traffic analysis system. The update improves support for the GE-SRTP protocol of GE Fanuc (Emerson) controllers, detects additional FINS commands in OMRON controllers, and tracks the transmission of automation system configurations over the network. In addition, more than 640 signatures have been added to the package to detect malware (Trojans and ransomware) and security policy violations.
GE-SRTP, developed by GE Fanuc, is designed for network communication between GE Fanuc controllers and engineering software (Proficy Machine Edition), SCADA systems and OPC servers. The updated PT ISIM expertise package enables information security monitoring professionals to respond to incidents involving GE-SRTP interactions with controllers. Updated rules and events track changes in access privilege status and level, time setting, loading and unloading of hardware and software configurations, and forced values on controller inputs and outputs.
In addition, the package adds rules and events for Wonderware InTouch (Schneider Electric), SIMATIC WinCC (Siemens), CENTUM VP (Yokogawa Electric), TRACE MODE (AdAstra), MasterSCADA 3 and MasterSCADA 4D (MPS software). They record transfers of automation system configuration files over the network.
"Tracking network-based configuration changes to automation systems enables early detection of interference. Changing files can lead to incorrect display of data and to the inoperability of the SCADA system as a whole," said Sergey Shchukin, industrial systems research expert at Positive Technologies. "It is important to detect external and internal intruders at the initial stage of an attack in order to stop their progress inside the perimeter and prevent the incident from happening again."
In 2023, Positive Technologies discovered a vulnerability in OMRON CP1L series controllers that allows attackers to modify arbitrary areas of the device's memory using the FINS protocol. PT ISIM detects the use of undocumented data read and write commands, which helps avoid consequences such as complete denial of service or arbitrary code execution.
PT ISIM is part of the PT Industrial Cybersecurity Suite (PT ICS), a comprehensive platform for protecting industrial infrastructures and ensuring production cyber resilience, so PT ICS users also receive these and other expertise packages and updates.
Expertise package released for detecting attacks on SCADA TRACE MODE 6
On April 12, 2023, Positive Technologies announced that it had supplemented the PT Industrial Security Incident Manager deep industrial traffic analysis software and hardware complex with an expertise package for identifying attacks on SCADA TRACE MODE 6, one of the SCADA systems developed by AdAstra. The update makes it possible to identify unauthorized work with the real-time monitor (RTM), connections to TRACE MODE 6 in SPY mode (using the remote distributed project debugger) and attackers' manipulation of PLCs [2]. This helps detect cyberattacks at an early stage and prevent them from happening again.
This PT ISIM expertise package will help Russian companies meet regulatory requirements: from 2025, government organizations are required to use exclusively domestic software at critical information infrastructure facilities.
The PT ISIM update has expanded the ability to detect potentially dangerous actions performed from remote computers; with the new rules it is now possible to detect:
- Unauthorized work with the real-time monitor. The product makes it possible to track connections of cybercriminals to a running SCADA system and detect illegitimate installation of the TRACE MODE IDE on APCS operator workstations.
- Connections to TRACE MODE 6 in SPY mode. PT ISIM recognizes connections to the RTM in tracking mode and also shows what actions were performed by the attackers.
- Intruder impact on PLCs based on the Micro TRACE MODE actuator module. PT ISIM detects illegitimate access to the PLC and prevents process disruption.
"Attackers are able to install malware using remote computers that are outside the attention of information security experts and pose a particular threat to the enterprise. By penetrating the internal perimeter of the network, hackers can replace the data that the operator sees on mnemonic diagrams, or execute an illegitimate command, which will lead to an abnormal mode of operation of the ICS," said Ilya Kosynkin, head of the PT ISIM product. "It is important at an early stage to identify where the impact was made and what steps were taken by third parties. With this data, information security specialists can prevent a second attack and take the correct measures to restore the correct operation of the APCS."
"Identifying the actions of intruders in technological networks helps prevent emergency situations and emergency modes. AdAstra and Positive Technologies are technology partners and actively share experience. This expertise package makes it possible to detect potentially dangerous impacts that are not visible to maintenance personnel, so hackers can be countered already at the early stages of an attack," said Vladimir Karandaev, head of technical support at AdAstra.
PT ISIM 4.3 with 1,000 added industrial threat indicators
On March 14, 2023, Positive Technologies introduced PT ISIM 4.3, an updated version of its deep industrial traffic analysis system.
"We strive to ensure that PT ISIM users can use the full scope of expertise to detect attacks on technological equipment immediately after the solution is deployed," said Ilya Kosynkin, head of the PT ISIM product. "The product's new capabilities for creating and using custom attack detection rules will allow users to supplement it with their own expertise. Moreover, service providers with local teams of experts will be able to offer better services thanks to the possibility of expanding the 'boxed' rule base with their own content."
PT ISIM 4.3 adds more than 1,000 industrial threat indicators (6,300 as of March 2023) and more than 15 additional industrial protocols. The product now supports analysis of the MELSOFT protocols designed for interaction between engineering software (GX Works) and compatible Mitsubishi Electric controllers. In addition, PT ISIM users can parse the HiDiscovery protocol used in Hirschmann equipment, including detection of network scanning and attempts to change network parameters. Analysis of the Windows remote service control protocol used by standard tools (MS-SCMR/SVCCTL) was also added, as were protocols previously released as updates to the PT ISTI industrial threat indicator database.
Another important change is the ability to install current versions of PT ISIM on the latest versions of the domestic operating system Astra Linux Special Edition 1.7. PT ISIM 4.3 also supports installation on Debian 10, which is the recommended operating system for new product installations in projects with no requirement to use Russian operating systems.
In the updated version of PT ISIM, you can also configure automatic adjustment of incident hazard levels depending on the type of infrastructure. On nodes associated with the realization of unacceptable events, incidents can be given an increased level. Conversely, on nodes of less interest to the specialist monitoring the process network (for example, units that have not yet been put into operation), the hazard level can be lowered. Information security monitoring specialists will also find it useful that the significance of an incident can be raised manually during an investigation so that it does not get lost among other events.
PT ISIM is part of PT Industrial Cybersecurity Suite (PT ICS), a comprehensive platform for detecting cyber threats and responding to incidents in industrial systems, so PT ICS users also receive these and other expertise packages and updates.
2022
Expertise package added with support for Mitsubishi Electric protocols
On December 6, 2022, Positive Technologies announced that the PT Industrial Security Incident Manager (PT ISIM) software and hardware complex for deep industrial traffic analysis had been supplemented with an additional expertise package. The update provides enhanced support for the Mitsubishi Electric family of protocols.
"Mitsubishi Electric is in the top 3 in the global industrial automation solutions market. The equipment of this company is also widely represented at Russian enterprises. To ensure interaction between components within the Mitsubishi Electric ecosystem, a proprietary protocol stack is used that works over various transports. We have added support for the MELSOFT protocol to this expertise package and expanded support for SLMP," said Ilya Kosynkin, head of PT ISIM product development.
SLMP (SeamLess Message Protocol) is an application protocol for interaction between controllers, SCADA systems, peripherals and other technological equipment. Since SLMP service functions can significantly affect the safety and correctness of the process, PT ISIM treats the most important of them as incidents. Using this expertise package, the software and hardware complex will help detect, for example, stopping the PLC and entering initialization mode, enabling or disabling the password, or changing the file system.
The MELSOFT protocol is used for communication between engineering software (GX Works) and compatible Mitsubishi Electric controllers. While studying the protocol, Positive Technologies specialists discovered vulnerabilities in MELSEC series PLCs related to incorrect processing of input data. CVE-2022-25161 leads to a denial of service when data is written to memory at a specially chosen offset. The expertise package allows PT ISIM to parse the MELSOFT protocol, calculate potentially dangerous offsets and report the threat to the operator. Another vulnerability, CVE-2022-25162, also leads to denial of service and loss of access to PLCs on service ports. This expertise package allows the data written via the MELSOFT protocol to be checked. If an attempt to exploit the vulnerability is detected, PT ISIM records the incident, notifies the operator and sends the event, for example, to MaxPatrol SIEM or an IRP system.
The expertise package is available for PT ISIM 4.1 and newer versions. Users whose product is connected to the update server can download and install it automatically; for isolated installations, manual updating is provided, in which case the package must be downloaded and installed in PT ISIM manually.
Ability to download APCS protocol parsers
PT Industrial Security Incident Manager (PT ISIM) has extended its capabilities. Users of PT ISIM 4.1 and higher connected to the Positive Technologies update cloud can now download not only industrial threat compromise indicators but also parsers for APCS protocols. Positive Technologies announced this on September 8, 2022.
"New threats and vulnerabilities appear extremely often, so it is important to update the expertise in products between releases," said Ilya Kosynkin, head of PT ISIM development. "Previously, PT ISIM could receive updates to detection rules and compromise indicators for APCS, and now protocol analysis has been added without sending or setting parameters manually. Connecting PT ISIM to the PT ISTI (PT Industrial Security Threat Indicators) cyber threat database servers allows you to quickly, seamlessly and automatically update the rules for detecting current threats, as well as expand the set of supported protocols."
The PT ISIM expertise package includes additional mechanisms for detecting threats in Siemens, Hirschmann, Yokogawa and Rockwell Automation hardware, as well as detecting attacks on the Windows operating system. For example, it supports the HiDiscovery protocol for Hirschmann devices, which allows detection of network scans and attempts to change network parameters. In addition, support for individual functions of the Siemens SIMATIC S7 communication protocol related to debug modes and loading of program logic has been expanded.
The Positive Technologies Expert Security Center (PT Expert Security Center) team regularly examines threats, including in industrial systems. When new attack methods appear, the experts interact with the PT ISIM team, which prepares sets of threat detection rules, compromise indicators and mechanisms for detailed protocol analysis. These, in turn, become available to all users of the product. Thus, PT ISIM regularly receives a set of compromise indicators that deserve the close attention of information security specialists not in theory, but in practice. For example, in the case of Hirschmann devices, Positive Technologies experts discovered attacks in which the HiDiscovery utility was used to change the configuration of equipment on the network. This tactic was added to the updated PT ISIM expertise package.
In addition, PT ISIM has received updates to its threat detection mechanisms that allow it to:
- detect remote control of Windows services using standard Microsoft operating system tools (for example, via MS-SCMR, aka SVCCTL);
- identify the malicious Bvp47 toolkit;
- identify attempts to exploit the CVE-2014-0781 (Yokogawa CENTUM CS 3000) and CVE-2020-12029 (Rockwell Automation FactoryTalk View SE) vulnerabilities.
The update is compatible with PT ISIM versions 4.1 and 4.2. In the latest builds of PT ISIM 4.2, this expertise package is already installed. The package can be installed either over the network, when connected to the PT ISIM cloud server, or locally.
DICOM network protocol support
The PT Industrial Security Incident Manager (PT ISIM) deep process traffic analysis system supports dissection and analysis of the DICOM network protocol used in medical equipment, including tomographs, X-ray machines and ultrasound scanners. PT ISIM now detects equipment configuration errors and traces of intruders in the data transmission networks of medical facilities. This was announced on July 4, 2022 by Positive Technologies.
Digital Imaging and Communications in Medicine (DICOM) is a medical industry standard for the creation, processing, storage, transmission and visualization of digital medical images and patient examination documents. It is supported by major global manufacturers of medical equipment. The DICOM network protocol is used in communication networks and helps various devices (including terminals and storage systems) communicate with each other. In addition to graphic data, DICOM files contain special attributes that allow patient-specific data to be mapped to an image. The protocol, in turn, facilitates the search for patient data in the network of a medical institution or on specific diagnostic equipment.
According to Positive Technologies, medicine has been one of the top three priority targets for cybercriminals for more than four years. For example, in the first quarter of 2022, medical institutions took second place in the world in the number of attacks (11%), behind only government agencies (16%). The main cyber threats for organizations in this industry are theft of confidential information and encryption of files, followed by a shutdown of medical systems and equipment. In the first three months of 2022, medical data accounted for 15% of all information stolen by cybercriminals.
"The lack of technical means of control and monitoring of network exchange is the main reason for the success of cyber attacks on medical institutions. In such conditions, attackers can freely develop an attack and remain unnoticed in the infrastructure," said Dmitry Darensky, head of industrial cybersecurity practice at Positive Technologies. "As of July 2022, PT ISIM is the only specialized NTA solution in Russia that takes into account the specifics of medical information systems. Positive Technologies' deep traffic analysis system detects the transfer of suspicious and malicious files, detects incidents in the networks of medical institutions, and also allows retrospective analysis of network events. The joint use of PT ISIM with systems of the EDR (endpoint detection and response), SIEM (security information and event management) and Vulnerability Management class will make it possible to qualitatively increase the degree of security of medical institutions and make unacceptable events impossible for them."
The need for a product capable of parsing the DICOM protocol, through which critical patient files and medical data are transmitted, is emphasized at the A. N. Bakulev National Medical Research Center for Cardiovascular Surgery, one of the first institutions in Russia to introduce digital technologies in patient treatment.
"Making decisions quickly and prescribing the necessary treatment is very important. The results of patients' diagnostic studies are almost instantly available to specialists in any medical institution in the country," said Dmitry Yuryevich Yushkov, head of the information security service for automated systems and process control at the Federal State Budgetary Institution A. N. Bakulev National Medical Research Center of the Ministry of Health of Russia. "Along with the availability of medical data, it is crucial to ensure the reliable operation of medical equipment. The networks of medical institutions are constantly becoming more complex, and equipment policies and configuration settings change dynamically. It is difficult to ensure the necessary level of security in clinics without specialized security monitoring tools, and in some places it is no longer possible."
PT ISIM 4: helping identify and investigate cyber attacks on technology infrastructures
On March 31, 2022, Positive Technologies introduced an updated version of the PT Industrial Security Incident Manager (PT ISIM) deep industrial traffic analysis system. Among the main changes are automated construction of an incident graph (the attack development chain), the ability to manage built-in rules and fine-tune the product for the company's infrastructure, and increased performance.
Positive Technologies estimates that industrial enterprises continue to be one of the main targets of hacker groups. At the same time, according to the results of security analysis projects, in 91% of industrial organizations an external attacker can penetrate the corporate network, and in 56% of cases reach process control systems. Stopping and neutralizing hackers in time is not easy due to the lack of qualified specialists who understand the specifics of protecting technological networks, as well as the low speed of introducing additional measures at enterprises. Under these conditions, systems for deep monitoring of technological traffic (industrial NTA and NDR systems), which can be deployed quickly to increase the security of the technological network, come to the fore.
"PT ISIM 4 allows you to identify the sequence of intruders' actions on the network and record an attack at every stage, rather than just tracking individual notifications as, for example, ordinary IDS do. Thus, the product allows information security specialists to answer questions faster: is there an attacker in the APCS network right now? Where has he got to? And so to solve the main problem: how to stop him," said Ilya Kosynkin, PT ISIM Product Manager, Positive Technologies.
PT ISIM 4 includes an incident management mechanism based on ranking the assets of the technology network by their criticality, which is determined for each particular company. Combined with automated plotting of the incident graph, this makes it possible to quickly determine the direction and stage of the attack and proactively assess its consequences.
In addition, PT ISIM has expanded the ability to configure and adapt the product to the infrastructure.
"The implementation of a traffic analysis product is always about fine tuning, which should take into account enterprise security policies as well as the technological features of the systems whose traffic it analyzes. Despite the extensive possibilities for automatic training, in the technological environment there is always a possibility of false positives that need to be processed correctly without reducing the level of security. PT ISIM 4 has additional capabilities for managing built-in rules that allow you to quickly and granularly perform such a configuration. As a result, the information security specialist receives only the necessary information about what is happening on the network, as clean as possible from the 'noise', and can focus on finding real traces of the attacker," comments Roman Krasnov, head of information security for industrial enterprises at Positive Technologies.
The PT ISTI industrial threat indicator databases were updated and support for industrial protocols was added, including Alpha.Server Configurator, ANSL (B&R), Bachmann RPCTCP, DICOM, FINS (Omron), INA2 (B&R), INA2000 (B&R), Phoenix, DIGSI 4 (Siemens), SLMP (Mitsubishi Electric), DK Course-2 and ELNA. The ADS, CIP and OPC UA protocol parsers were updated.
The PT ISIM 4 passive monitoring architecture, as in previous releases, eliminates any undesirable impact on the process. The product ensures full compliance with legislative requirements (Federal Law No. 187-FZ, FSTEC Orders No. 31 and 239, and the requirements of the State System for Detection, Prevention and Elimination of Consequences of Computer Attacks).
2021
Expertise package to detect attempts to exploit vulnerabilities in WAGO PLCs and CODESYS software
The PT Industrial Security Incident Manager (PT ISIM) deep industrial traffic analysis system has received an expertise package for detecting attempts to exploit vulnerabilities in WAGO PLCs and in the CODESYS industrial automation software, which is used by many Russian and foreign controller manufacturers. Positive Technologies announced this on September 1, 2021. The updated rules detect attempts by attackers to gain privileged access to the controller's file system, denial-of-service attacks, and interference with PC-based systems performing PLC functions.
The vulnerabilities were discovered by Positive Technologies experts and subsequently fixed by CODESYS. However, not all device owners install updates promptly, so the risk of exploitation remains. An attacker may not even need authorization: network access to the industrial controller is enough. CODESYS software is used by more than 15 vendors worldwide to build their own PLCs, including WAGO, Beckhoff, Kontron, Moeller, Festo, Mitsubishi and HollySys. Six of the vulnerabilities identified by Positive Technologies experts are rated critical (10 out of 10 on the CVSS 3.0 scale), three are rated high (8.8), and one received a score of 5.3. The added PT ISIM expertise package detects attempts to exploit these vulnerabilities in WAGO PLCs and CODESYS software.
The PT ISIM expertise package includes rules for detecting malicious activity that uses vulnerabilities in WAGO PFC200 controllers and CODESYS software, including:
- exploitation of vulnerabilities in the CODESYS Control V2 communication component, which allows embedded PC systems to perform PLC functions (CVE-2021-30186, CVE-2021-30188);
- gaining read and write access to the controller's file system (CVE-2021-21001);
- denial of service of the iocheckd service, which checks the PLC inputs and outputs and displays their configuration (CVE-2021-21000).
According to our data, in the first quarter of 2021, 11% of attacks were directed at industrial companies; they are second only to attacks on state institutions. Attackers carefully monitor information about vulnerabilities and try to use them in their attacks as soon as possible, especially if these vulnerabilities have a wide range of applicability, as in this case, - said Roman Krasnov, an expert on information security of industrial systems at Positive Technologies. - Updating the software of industrial systems to address security concerns is always a challenge, and sometimes impossible, given the need to maintain business continuity. Therefore, it is important to provide equally continuous security monitoring of APCS with an industrial NDR. A cyber attack never occurs instantly, and it is important to detect traces of its preparation in time and therefore prevent it in a timely manner. |
This expertise package complements the PT ISTI base of industrial cyber threat indicators in PT ISIM, which as of September 2021 contains more than 4,000 indicators and rules for detecting various attacks on equipment from ABB, Emerson, Hirschmann, Schneider Electric, Siemens, Yokogawa and other APCS manufacturers.
Expertise packages to identify exploitation of vulnerabilities in Cisco and VxWorks
On June 17, 2021, Positive Technologies announced the release of expertise packages for the PT Industrial Security Incident Manager deep industrial traffic analysis system that identify attempts to exploit vulnerabilities in Cisco products and in the VxWorks real-time operating system, which is used in two billion devices, from mechanical engineering and industrial automation to robotics, medicine and aerospace.
The vulnerabilities discovered in VxWorks and grouped under the common name URGENT/11 allow, among other things, remote code execution, which poses a serious security risk to numerous VxWorks-based devices. According to Armis experts, at least 200 million devices were vulnerable to URGENT/11 in 2019.
These PT ISIM expertise packages include indicators and rules for detecting malicious activity that uses vulnerabilities in VxWorks and Cisco software, including:
- buffer overflow in IPv4 packet parsing, VxWorks (CVE-2019-12256);
- denial of service of a TCP connection caused by malformed TCP options, VxWorks (CVE-2019-12258);
- exploitation of the TCP Urgent Pointer state confusion that occurs during a connection to a remote host, VxWorks (CVE-2019-12261);
- exploitation of vulnerabilities in Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (CVE-2018-15379, CVE-2019-1821).
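To make the first and third items above concrete, here is an added example of how an industrial NTA sensor can flag the header-level conditions that the public URGENT/11 research associates with these findings. It is not PT ISIM's rule logic and not code from Positive Technologies or Armis. It parses raw IPv4/TCP headers and reports two indicators: an IPv4 packet carrying a loose or strict source-route option (the option-parsing surface of CVE-2019-12256), and a TCP segment with the URG flag set but a zero Urgent Pointer (the header condition behind the Urgent Pointer state-confusion issues such as CVE-2019-12261). The packets are constructed inline with struct; the indicator names and the port 502 destination are arbitrary choices for the illustration.

```python
import struct
from typing import Dict, List, Tuple

TCP_URG = 0x20                        # URG bit in the TCP flags byte
IPV4_LSRR, IPV4_SSRR = 0x83, 0x89     # loose / strict source-route option types
IPPROTO_TCP = 6


def parse_ipv4(pkt: bytes) -> Tuple[Dict, bytes]:
    """Parse a raw IPv4 header and return (fields, payload). Raises ValueError on malformed input."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 version or header length")
    # Walk the options area: EOL (0) and NOP (1) are single bytes; every other
    # option is type, length, data. Stop on a truncated or invalid length but keep
    # the type already seen, since a malformed option is itself worth reporting.
    area, i, options = pkt[20:ihl], 0, []
    while i < len(area):
        opt_type = area[i]
        if opt_type == 0:
            break
        if opt_type == 1:
            i += 1
            continue
        options.append(opt_type)
        if i + 1 >= len(area) or area[i + 1] < 2:
            break
        i += area[i + 1]
    fields = {"proto": proto, "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
              "options": options}
    return fields, pkt[ihl:]


def parse_tcp(seg: bytes) -> Dict:
    """Parse the fixed 20-byte part of a TCP header."""
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _, _, _, flags, _, _, urgptr = struct.unpack("!HHIIBBHHH", seg[:20])
    return {"sport": sport, "dport": dport, "flags": flags, "urgptr": urgptr}


def urgent11_indicators(pkt: bytes) -> List[str]:
    """Names of URGENT/11-related header indicators present in one IPv4 packet (empty = none)."""
    hits: List[str] = []
    ip, payload = parse_ipv4(pkt)
    if any(o in (IPV4_LSRR, IPV4_SSRR) for o in ip["options"]):
        hits.append("ipv4_source_route_option")        # parsing surface of CVE-2019-12256
    if ip["proto"] == IPPROTO_TCP:
        tcp = parse_tcp(payload)
        if tcp["flags"] & TCP_URG and tcp["urgptr"] == 0:
            hits.append("tcp_urg_with_zero_pointer")    # condition behind the Urgent Pointer issues
    return hits


def build_packet(tcp_flags: int, urgptr: int = 0, ip_options: bytes = b"") -> bytes:
    """Construct a minimal IPv4/TCP packet for testing (sample data, not captured traffic).
    Checksums are left at zero; the parser does not verify them."""
    opts = ip_options + b"\x00" * (-len(ip_options) % 4)      # pad options to a 32-bit boundary
    ihl = 5 + len(opts) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 502, 1, 0, 5 << 4, tcp_flags, 8192, 0, urgptr)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(opts) + len(tcp), 1, 0, 64,
                     IPPROTO_TCP, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 10])) + opts
    return ip + tcp


if __name__ == "__main__":
    samples = {
        "plain SYN": build_packet(0x02),
        "URG with zero pointer": build_packet(0x38),
        "loose source route": build_packet(0x02, ip_options=b"\x83\x07\x04" + bytes([10, 0, 0, 9])),
    }
    for label, pkt in samples.items():
        print(label, urgent11_indicators(pkt))
```

Both conditions are indicators to investigate rather than proof of exploitation: a handful of legitimate stacks still set URG, and source routing occasionally appears in diagnostic tools, so in a sensor the hit should be enriched with the destination asset (is it a VxWorks-based device?) before it becomes an incident.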
Industry has been in second place among the most frequently attacked sectors for two years. In the last quarter of 2020, professional ransomware hit the aircraft manufacturers Embraer and Foxconn (with ransom demands from $15 to $34 million), an energy company in India, and SCADA systems for managing water supply in Israel. In 2021, a number of major incidents have already occurred, including the high-profile cyber attack on the American company Colonial Pipeline. And these are just the public cases. Such incidents once again point to the need to apply relevant approaches and solutions to identify information security threats in industrial infrastructures in time, ― notes Roman Krasnov, an expert on information security of industrial systems at Positive Technologies. |
The expertise packages complement the PT ISTI base of industrial cyber threat indicators in PT ISIM, which contains more than 4,000 indicators and rules for detecting various attacks on equipment from ABB, Emerson, Hirschmann, Schneider Electric, Siemens, Yokogawa and other APCS manufacturers.
Compatibility of PT ISIM netView Sensor 2.4.5482 with Astra Linux Special Edition "Smolensk" 1.6
Positive Technologies on June 10, 2021 announced that the PT Industrial Security Incident Manager (PT ISIM) deep technology traffic analysis system is compatible with the Astra Linux Special Edition operating system. The combined solution will allow Russian companies in the technological sector to use the tested complex based on modern domestic software to analyze the traffic of APCS networks, search for traces of information security violations and cyber attacks.
The Astra Linux special-purpose operating system is among the most common operating systems on the Russian market in the public sector: in 2020, the system crossed the milestone of 1 million licenses.
"Previously, PT ISIM was installed only on the Debian operating system by default. The ability to work on the basis of the Astra Linux operating system allows you to ensure compliance with regulatory requirements regarding the transition to domestic software and deploy PT ISIM on the servers of state and system-forming industrial enterprises of the Russian Federation, the Republics of Belarus and Kazakhstan, which are actively switching to Astra Linux, "said Dmitry Darensky, head of industrial cybersecurity practice Positive Technologies. |
Astra Linux is the official derivative of Debian, which was created as part of the Russian initiative to switch to free software. According to forecasts of OS developers, by 2025 the number of installations of Astra Group products should exceed 6 million.
Both products are included in the unified register of Russian software, and the correctness of their joint work was checked by specialists from Positive Technologies and Astra Linux during the tests. The testing involved Astra Linux Special Edition release "Smolensk" version 1.6 and Positive Technologies Industrial Security Incident Manager (YeVRG.620129000.ISIM-02) netView Sensor version 2.4.5482.
Integration with the SKDPU NT system from iT Bastion
On February 24, 2021, Positive Technologies announced a technological partnership with iT Bastion in the field of protecting industrial networks. The first joint project was the integration of the PT Industrial Security Incident Manager deep technological traffic analysis system with the SKDPU NT privileged user access control system.
Joint use of the Positive Technologies and iT Bastion products will help increase the security of the accounts of operators of critical information systems (which is especially relevant during mass remote work), as well as the accounts of the specialists who manage the technological process at geographically distributed industrial enterprises.
According to Positive Technologies, more than 200,000 components of engineering systems of various kinds (APCS) are reachable from the Internet. Remote access to process networks is used for monitoring, control, diagnostics and adjustment. It is convenient, allows problems to be solved quickly and reduces logistics costs, and during the global pandemic it has become even more in demand.
At the same time, remote access raises serious risks to the security of the enterprise: credentials for access to the APCS network can be passed to third parties or stolen, and the personal computers from which remote access is made can be infected with malware. In addition, remote access to the technological network can be organized, intentionally or accidentally, bypassing the deployed security system.
The lack of proper control over remote access to APCS can lead to serious consequences, - notes Roman Krasnov, expert on information security of industrial systems at Positive Technologies. - For example, to a complete shutdown of the technological process due to the spread of a ransomware virus or targeted sabotage, to theft of trade secrets, or to malicious manipulation of technological process parameters in order to steal a share of raw materials or output. In conditions where it is impossible to control the computers of remote users directly, systems for analyzing APCS network traffic and means for monitoring the actions of privileged users connected to the APCS network come to the rescue. |
The joint Positive Technologies and iT Bastion solution for controlling remote access to APCS allows you to:
- organize a single point of entry into the APCS network for remote users, the SKDPU NT gateway;
- identify illegitimate connections that bypass the SKDPU NT gateway and notify the information security specialist about them in time;
- log the interaction of remote users with APCS equipment (changes to PLC projects and configurations, changes of PLC operating modes, etc.);
- detect traces of malware penetrating the APCS network through remote connections;
- detect traces of compromise of the APCS network through remote connections;
- assess the activity of connected users, detect anomalies in their actions and signal security policy violations;
- store a complete copy of user session traffic for audit and investigation.
Users receive remote access to the APCS network only through the central SKDPU NT gateway, or several gateways in a distributed IT infrastructure, - explains Dmitry Mikheev, technical director of iT Bastion. - In turn, PT ISIM provides the SKDPU NT gateway with data on all registered connections within the network. This makes it possible, at the gateway level, to identify those connections that are not controlled by the gateway and notify the information security engineer about them. Users can be any specialists (information security staff, APCS operators and engineers, etc.) whose remote access needs to be controlled. |
Both products are included in the unified register of Russian software, and the correctness of their joint operation was verified by Positive Technologies and iT Bastion specialists during testing.
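As an added illustration of the bypass check described in this section (not iT Bastion's or Positive Technologies' code), the following Python takes connection records of the kind a traffic sensor produces and reports two classes of finding: connections entering the APCS segment from an address that is not the access gateway, and connections sourced from the gateway for which the gateway has no matching session record. The network ranges, gateway address, session records and connection records are all constructed sample data; the 60-second matching window is an arbitrary parameter.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Connection:
    """One connection as a traffic sensor would report it (constructed sample records below)."""
    src: str
    dst: str
    dport: int
    ts: int          # epoch seconds of the first packet


@dataclass(frozen=True)
class GatewaySession:
    """One privileged-access session as recorded by the access gateway."""
    user: str
    dst: str
    dport: int
    ts: int


def find_uncontrolled_access(conns: Iterable[Connection], apcs_net: str, gateways: Iterable[str],
                             sessions: Iterable[GatewaySession],
                             slack: int = 60) -> List[Tuple[str, Connection]]:
    """Return (finding, connection) pairs for connections into the APCS segment that the gateway
    does not control: 'bypass' when the source is not a gateway, 'no_session' when the source is
    a gateway but no session record matches the destination and port within `slack` seconds."""
    net = ipaddress.ip_network(apcs_net)
    gw_addrs = {ipaddress.ip_address(g) for g in gateways}
    sessions = list(sessions)
    findings: List[Tuple[str, Connection]] = []
    for c in conns:
        src, dst = ipaddress.ip_address(c.src), ipaddress.ip_address(c.dst)
        if dst not in net or src in net:
            continue                      # not an entry into the segment from outside
        if src not in gw_addrs:
            findings.append(("bypass", c))
        elif not any(s.dst == c.dst and s.dport == c.dport and abs(s.ts - c.ts) <= slack
                     for s in sessions):
            findings.append(("no_session", c))
    return findings


# Constructed sample environment: one APCS segment, one gateway, one logged session.
APCS_NET = "10.20.0.0/16"
GATEWAYS = ["10.10.0.5"]
SESSIONS = [GatewaySession("engineer1", "10.20.1.20", 102, 1_700_000_000)]
CONNECTIONS = [
    Connection("10.10.0.5", "10.20.1.20", 102, 1_700_000_010),   # via gateway, session present
    Connection("10.10.0.77", "10.20.1.20", 502, 1_700_000_300),  # direct from a corporate host
    Connection("10.20.1.10", "10.20.1.20", 502, 1_700_000_400),  # HMI to PLC inside the segment
    Connection("10.10.0.5", "10.20.1.30", 22, 1_700_003_000),    # from gateway, no session logged
]


def demo() -> List[Tuple[str, Connection]]:
    return find_uncontrolled_access(CONNECTIONS, APCS_NET, GATEWAYS, SESSIONS)


if __name__ == "__main__":
    for kind, conn in demo():
        print(kind, conn)
```

The second check matters because the first only trusts a source address: a host that spoofs or shares the gateway's address would pass the allowlist, but it still cannot produce a gateway session record, so cross-checking the sensor's connection list against the gateway's own log closes that gap.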
2020
PT ISIM 3.0 with updated engine
A new version of the PT ISIM deep traffic analysis system has been released. Positive Technologies announced this on November 13, 2020.
Among the changes are a new engine, regular replenishment of the expert base and improvements to the user interface.
The new PT Industrial Security Incident Manager (PT ISIM) engine provides higher performance and advanced capabilities for in-depth analysis of industrial protocols and technological network traffic. Besides the overall performance gain and faster individual scenarios, PT ISIM 3.0 can solve more complex problems of detecting anomalies and security violations and delivers up-to-date threat knowledge from Positive Technologies experts more quickly.
This version supports the practice started by the vendor to regularly replenish the product knowledge base with additional examination packages with current detection rules and industrial threat indicators.
PT ISIM 3.0 also received an updated user interface that allows you to investigate traffic analysis results, as well as more flexibly manage product performance parameters.
PT ISIM belongs to the class of industrial NTA systems (network traffic analysis), systems for deep analysis of technological network traffic: it detects signs of an attack on the technological network of an enterprise by various methods and provides additional capabilities for analyzing incidents, enriching their context and responding to them.
As technological networks become an integral part of the enterprise's overall IT infrastructure, the risk of an attacker entering them becomes high. It is necessary to monitor the situation in the APCS network fully in 24/7 mode and to be able to find threats retrospectively, restoring the chronology of the incident. Parsing only industrial protocols in order to search for illegitimate control commands is no longer sufficient. It is necessary not only to detect the exploitation of a vulnerability or the sending of an illegitimate command to a PLC; the APCS traffic analysis system should help answer many other important questions: "if there was an attempted attack, did it succeed?", "are there signs of further development of the attack?" ― notes Roman Krasnov, an expert on information security of industrial systems at Positive Technologies. |
In August 2020, PT ISIM was tested in the certification system of the FSTEC of Russia. Certificate No. 4182 is valid until December 9, 2024.
Expertise package for identifying exploitation of vulnerabilities in the Windows Remote Desktop Service, Cisco switches and MikroTik routers
PT Industrial Security Incident Manager (PT ISIM) has received another expertise package, which allows information security departments to detect attempts to exploit vulnerabilities in MikroTik routers, Cisco switches, the Windows Remote Desktop Service (Remote Desktop Protocol, RDP) and other Windows components. Positive Technologies announced this on October 29, 2020.
Most of these vulnerabilities allow remote code execution, which makes them among the most dangerous: an attacker who can execute arbitrary code on a host remotely effectively takes full control of it.
With the onset of the pandemic, attackers began to pay more attention to industrial facilities. According to our observations, in the second quarter the share of attacks on real-sector enterprises increased from 10% to 15%. Of greatest interest are ransomware operators and cyber-espionage APT groups, which exploit not only specific vulnerabilities in application software and technological equipment, but also vulnerabilities in network equipment and Windows operating systems that are common in industrial automation systems, ― said Dmitry Darensky, head of industrial cybersecurity practice at Positive Technologies. |
One of the vulnerabilities identified by PT ISIM is known as BlueKeep. According to the Positive Technologies Expert Security Center (PT ESC), at the end of March 2020 it was present on more than 10% of remote desktops exposed to the Internet and allowed an attacker to gain full control over a Windows-based computer.
This expertise package makes it possible to identify remote code execution through the Windows DNS server and Windows SMBv3, attempts to remotely install a vulnerable version of MikroTik RouterOS, buffer overflows in Cisco switches and other threats.
This is the third examination package in PT ISIM. Previously, rules were published to detect attempts to exfiltrate data and tunnel connections from APCS, as well as specialized threat indicators for B&R Industrial Automation equipment and systems.
The expertise packages complement the PT ISTI base of industrial cyber threat indicators in PT ISIM, which as of October 2020 contains more than 4,000 signatures and rules for detecting various attacks on equipment from ABB, Emerson, Hirschmann, Schneider Electric, Siemens, Yokogawa and other APCS manufacturers.
Compatibility with Oreol Security ProfiDIODE
On August 6, 2020, it became known that the PT Industrial Security Incident Manager (PT ISIM) APCS network traffic analysis system and the ProfiDIODE unidirectional data transfer device from Oreol Security had been tested for compatibility.
The ability to replenish the knowledge base with information security expertise packages
The industrial cyber threat indicator base of the PT Industrial Security Incident Manager (PT ISIM) software and hardware complex for deep analysis of technological traffic can now be replenished with information security expertise packages. Positive Technologies announced this on August 4, 2020. The first expertise package is already available for users to download. It includes rules for detecting threats to the equipment and systems of the Austrian company B&R Industrial Automation, which are used in the oil and gas, mining, processing and other industries.
The key characteristic of industrial traffic analysis systems is the amount of unique expert knowledge embedded in them. Over the past few years, we have been constantly working to increase the volume and quality of expertise available to users in our products, - comments Roman Krasnov, expert on information security of industrial systems at Positive Technologies. - The inclusion of up-to-date information about the vulnerabilities and latest techniques of attackers, as well as the timely delivery of our developments to PT ISIM, including using examination packages, are the most important elements in increasing the level of security of our customers' industrial systems. |
The first expertise package includes specialized threat indicators for B&R Industrial Automation equipment and systems (X20 series PLCs and APROL process control systems). They will help information security specialists working with PT ISIM to identify in traffic signs of exploitation of vulnerabilities across the B&R protocol stack (ANSL, INA2000, IOSHTTP, IOSYS, etc.) and to detect potentially dangerous control commands to equipment manufactured by B&R Industrial Automation. Timely detection of such activity prevents unauthorized changes to APCS operating modes and the emergencies they can cause.
The expertise package complements the PT ISTI base of industrial cyber threat indicators in PT ISIM. As of August 2020 it contains more than 4,000 signatures and rules for detecting various attacks on widely used equipment from ABB, Emerson, Hirschmann, Schneider Electric, Siemens, Yokogawa and others. The PT ISTI base is regularly supplemented by the Positive Technologies team of industrial control system security experts.
The release of expert packages is planned monthly.
2019: Magelis iPC-based PT ISIM View Sensor
On March 13, 2019, Schneider Electric and Positive Technologies announced an agreement on a technological partnership in the development of joint solutions for the protection of APCS. The joint software and hardware complex will be built on the PT Industrial Security Incident Manager View Sensor product and the Magelis iPC industrial computer. The solution will detect cyber attacks and unauthorized actions of personnel and intruders without any undesirable impact on the technological process, and can be used in difficult climatic and technological operating conditions.
"The product will work as part of modern Schneider Electric solutions designed for the automation of digital fields (Smart Field). Such fields, which have a high level of automation of technological processes, make it possible to bring the efficiency of oil and gas production to a higher level, increase efficiency and reduce the downtime of wells and other production facilities. The software and hardware complex under development will be able to work as part of systems based on a wide range of industrial controllers, including the Modicon M580, which will ensure the cybersecurity of production facilities. The solution is being developed in Russia, so all the components with the most added value (software, engineering, information security services) are being developed and will be implemented by Russian engineers." |
As noted in Schneider Electric, digital fields can reduce the cost of operation of fields by an average of 20% (according to EnergySys). Companies are making significant savings with smart technology. Digitalization increases the profitability of the oil and gas industry, but requires the use of modern means of protecting critical infrastructure from cyber threats. According to a study by Positive Technologies, back in 2018, the number of APCS components in Russia available from the Internet increased by about one and a half times. The number of vulnerabilities that can be exploited remotely without the need for privileged access is also growing. According to Positive Technologies estimates, in 2019 − 2020, the information security market for APCS will exceed 2 billion rubles.
According to the developers, the presented system can be used to monitor cyber incidents both in the oil and gas sector, as well as in industrial production, metallurgy and other industries. The hardware, built on the basis of Magelis iPC, is designed for operation in tough industrial conditions and combines compactness and high efficiency. The Magelis iPC OEM version of the PT ISIM View Sensor supports proprietary Schneider Electric protocols and is compatible with other company technologies.
According to information for March 2019, the software and hardware complex is being tested at the Moscow competence center Positive Technologies and the Schneider Electric laboratory in Innopolis (Tatarstan). The first deliveries are expected in the first or second quarters of 2019.
2018
PT ISIM netView Sensor on iROBO
On November 20, 2018, Positive Technologies and IPC2U announced the release to market of the PT ISIM netView Sensor software and hardware complex on the iROBO platform, designed to protect small and medium-sized businesses from cyber threats. According to the company, the solution meets industrial reliability requirements, including a high level of fault tolerance, and can be used in difficult climatic conditions.
The PT ISIM netView Sensor software and hardware complex is built on the iROBO-6000-320-W industrial high-performance computer, whose main applications are industrial automation in the power, mechanical engineering, transport and other industrial sectors. In this assembly, the PT ISIM netView Sensor performs its key tasks (monitoring the process network, monitoring the network composition and the configurations of network nodes, and managing events and security incidents in the process segment) without affecting the process. As of November 2018, the complex had been tested, and the results confirmed the correct operation of its hardware and software components.
Through our collaboration with IPC2U, a distributor of industrial automation tools and a domestic manufacturer of industrial computers and network equipment, our customers will be able to purchase a complete product that can be easily deployed and immediately used to control cybersecurity incidents. |
Building a complex based on a hardware platform assembled in Russia is an important step for the domestic industrial automation market. Vladimir Shestyrev, Head of Industrial Computers at IPC2U |
As of November 2018, the solution is available in the retail and representative network of IPC2U and in a specialized online store.
PT ISIM freeView Sensor
On September 10, 2018, it became known that Positive Technologies had expanded its line of products for industrial cyber security with a lightweight version of the PT Industrial Security Incident Manager system, PT ISIM freeView Sensor. The product is designed to solve basic information security monitoring tasks in APCS.
Providing information security in APCS involves a lot of questions. For example, it is necessary to define roles and areas of responsibility, update data about the APCS network, assess its security, find the necessary protection tools and justify their purchase. At the same time, the use of standard information security tools (for example, antivirus software) can be difficult due to the specifics of APCS, and specialized tools are not available to a wide range of users: they cannot always be tested in practice, so their usefulness remains unclear. PT ISIM freeView Sensor, as a tool for inventorying the APCS network and monitoring the cyber security of its resources, helps to overcome this barrier and launch the progressive development of the enterprise information security program. Denis Sukhanov, Director of Industrial System Security, Positive Technologies |
PT ISIM freeView Sensor is provided as a virtual machine that connects to the Mirror (SPAN) port of the APCS network switch. The system processes a copy of the APCS network traffic without affecting its components.
Key tasks that daily use of PT ISIM freeView Sensor solves:
- inventory of APCS network assets: the system visualizes the network topology with nodes, connections and groups of nodes;
- monitoring of information interaction in APCS: among other things, a training mode is provided, in which the system memorizes all network nodes and the interactions between them and then raises incidents on network anomalies, etc.;
- detection of network and industrial attacks, as well as cases of unauthorized control.
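The training mode and the three tasks above can be shown with a small added example; it is not PT ISIM code, and the flow tuples and host addresses are constructed. A baseline is built from the flows seen during learning on the mirrored traffic copy, after which each new flow is checked for nodes never seen before, for a known service being reached by a new client, and for a node being addressed on a protocol or port it never served during learning (the case that matters most on a PLC).

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# A flow is (source node, destination node, protocol, destination port).
Flow = Tuple[str, str, str, int]


@dataclass
class PassiveBaseline:
    """Inventory and interaction baseline built from a mirrored (SPAN) traffic copy."""
    nodes: Set[str] = field(default_factory=set)
    interactions: Set[Flow] = field(default_factory=set)
    served: Dict[str, Set[Tuple[str, int]]] = field(default_factory=lambda: defaultdict(set))
    learning: bool = True

    def observe(self, flow: Flow) -> List[Tuple[str, object]]:
        """In learning mode, record the flow and return nothing.
        In monitoring mode, return the anomaly events this flow raises (empty list = normal)."""
        src, dst, proto, port = flow
        if self.learning:
            self.nodes.update((src, dst))
            self.interactions.add(flow)
            self.served[dst].add((proto, port))
            return []
        events: List[Tuple[str, object]] = []
        for node in (src, dst):
            if node not in self.nodes:
                events.append(("new_node", node))
        if flow not in self.interactions:
            # Known service with a new client vs. a node addressed on something it never served.
            kind = "new_interaction" if (proto, port) in self.served.get(dst, set()) else "new_service"
            events.append((kind, flow))
        return events

    def inventory(self) -> Dict[str, List[Tuple[str, int]]]:
        """Node list with the (protocol, port) services each node was seen serving."""
        return {n: sorted(self.served.get(n, set())) for n in sorted(self.nodes)}


# Constructed sample: flows observed during the learning period.
LEARNING_FLOWS: List[Flow] = [
    ("10.20.1.10", "10.20.1.20", "modbus", 502),   # HMI polling the PLC
    ("10.20.1.30", "10.20.1.20", "s7comm", 102),   # engineering station to the PLC
    ("10.20.1.10", "10.20.1.40", "opcua", 4840),   # HMI to the OPC UA server
]


def build_baseline(flows: List[Flow] = LEARNING_FLOWS) -> PassiveBaseline:
    bl = PassiveBaseline()
    for f in flows:
        bl.observe(f)
    bl.learning = False          # switch to monitoring once the learning window ends
    return bl


if __name__ == "__main__":
    bl = build_baseline()
    print(bl.inventory())
    for f in [("10.20.1.30", "10.20.1.20", "modbus", 502),
              ("10.20.1.99", "10.20.1.20", "s7comm", 102),
              ("10.20.1.10", "10.20.1.20", "ftp", 21)]:
        print(f, bl.observe(f))
```

Monitoring mode deliberately does not add unknown flows to the baseline: a new node or service becomes part of the baseline only after an analyst confirms it, otherwise an attacker who is already inside during the learning window, or who waits it out, silently teaches the sensor that his traffic is normal.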
To receive feedback from users of the system and answers to questions that arise during its use, specialized information platforms have been created: the product community and Telegram chat.
In addition to solving a number of basic tasks, PT ISIM freeView gives the user the opportunity to gain the experience needed to work more effectively with the commercial versions of the PT Industrial Security Incident Manager system. These are distinguished by full technical support, a larger number of supported protocols and expanded capabilities for integration with external systems (including industry-specific ones). The commercial versions can analyze traffic taking into account the peculiarities of a specific industrial facility, show the current picture of network objects on the mnemonic diagram of the technological process at any time, customize attack detection scenarios for a specific site, act as a source of security incident information within an industrial SOC, and serve as a key component implementing regulators' security requirements for the process segment.
The commercial versions of PT Industrial Security Incident Manager include the constantly replenished base of industrial cyber threats − PT Industrial Security Threat Indicators (PT ISTI). It allows the system to detect up to 80% of the most dangerous and current threats to the APCS network without additional configuration. Among them - preparation for cyber attacks on APCS software and equipment at an early stage, shortcomings in setting up systems, reaching technological parameters beyond normal values, using potentially unsafe means of network interaction and unauthorized commands for controlling APCS equipment. The threat base helps proactively identify vulnerabilities in the APCS network, including those exploited by ransomware viruses and other malware.
PT ISIM netView Sensor
On July 11, 2018, Positive Technologies released an updated version of its APCS cyber security monitoring system, PT Industrial Security Incident Manager netView Sensor (PT ISIM netView Sensor). The product is easy to deploy and configure. The solution is applicable for detecting cybersecurity incidents in the power industry, oil refining, industrial production, transport and other industrial areas.
PT ISIM netView Sensor monitors the process network, monitors the network composition and the configuration of network nodes, and manages security events and incidents in the process segment. The system can operate as a source of security incident information within a distributed industrial SOC and is a key component implementing the security requirements imposed by regulators on the process segment.
According to Positive Technologies, PT ISIM netView Sensor makes it much easier to implement and provide information security: it is extremely easy to deploy thanks to automatic configuration and identifies up to 80% of the most dangerous and current threats to the APCS network. In the first hours of self-learning, PT ISIM netView Sensor performs an inventory of network resources, builds a map of information interaction, discovers segmentation flaws and takes on the monitoring of the security of the enterprise's technological resources. In continuous monitoring mode, the component detects network changes and identifies potential threats to APCS.
Testing for compatibility with Simatic NET APCS
On June 26, 2018, Positive Technologies announced that, together with Siemens, it had tested the PT Industrial Security Incident Manager (PT ISIM) cybersecurity monitoring and incident management system for compatibility with Simatic NET networks. During the tests, PT ISIM demonstrated correct operation at the connection and operation stages of the test bench and did not affect the technological process in any way.
The APCS test network was built on Scalance and Ruggedcom switches manufactured by Siemens. PT ISIM was connected to the traffic mirroring interfaces of the APCS test network through the AMT Group unidirectional data gateway. The testing evaluated the detection of security events and incidents, as well as the actions of violators.
Based on the test results, the declared security monitoring and cybersecurity incident management functions were confirmed. The system correctly parsed and analyzed the test traffic, generating a clear list of events and incidents. At the same time, the most important requirement was met: the data diode operated successfully as part of the solution and no PT ISIM traffic appeared in the Simatic NET network; data was collected in a completely passive mode.
Ensuring information security at industrial facilities is not an easy task. Enterprises do not have time to eliminate vulnerabilities for many objective reasons, including concerns about the continuity of the technological process. The "air gap" is rarely effective either. As our research shows, in four out of five companies it is possible to penetrate from the corporate network into the technological one, and pentesters manage to get into the corporate network from outside in 73% of industrial companies. The compatibility of PT ISIM with Siemens solutions, the most common in the APCS segment, allows many enterprises to solve the pressing problem of detecting incidents and cyber attacks. |
2017: Compatibility tested
On December 11, 2017, Positive Technologies announced that PT ISIM had been tested for compatibility with APCS from the company Prosoft Systems.
The cybersecurity incident management system was tested for compatibility with APCS based on the ARIS CAS and RedKit SCADA.
The use of PT ISIM as part of the ARIS CAS allows you to provide functionality for detecting cyber attacks and managing cybersecurity incidents in real time without directly interfering with the operation of the APCS. During the tests, it was confirmed that the use of PT ISIM as part of the ARIS CAS ensures the implementation of a certain list of technical measures for APCS protection in accordance with the requirements of Order No. 31 of the FSTEC.
2016
PT ISIM and AMT Group InfoDiode integrated
In April 2016, Positive Technologies and AMT GROUP announced the successful testing of a joint solution to protect critical infrastructures and industrial enterprises, built on Positive Technologies Industrial Security Incident Manager and AMT Group's InfoDiode.
The solution makes it possible to protect the APCS segment without affecting its functional safety. In particular, PT ISIM detects cyber attacks and illegal actions of personnel, identifies vulnerabilities of APCS components, and supports incident investigations. Integration with AMT InfoDiode rules out any negative impact on the APCS segment, because PT ISIM is isolated and data is transmitted in one direction only.
PT ISIM works by collecting and analyzing a copy of the technological network's traffic. Its event processing mechanism links individual security events into a chain of attacker actions and identifies time-distributed attacks (even over long periods), notifying on-site staff or the situation center of an incident. Thanks to the visualization function, the system presents the incident in a clear, user-friendly form, tied to the network topology and the layout of the industrial equipment. A saved copy of the traffic makes it possible to conduct a retrospective analysis and investigation of the incident at any time.
In the joint scheme, the perimeter of the APCS segment whose data is forwarded for analysis is protected by the AMT InfoDiode solution. This isolates the process network segment and eliminates any impact of the protection tools on functional safety.
System announcement
In the spring of 2016, Positive Technologies launched a system designed to protect automated process control systems (APCS): Positive Technologies Industrial Security Incident Manager (PT ISIM). The system detects vulnerabilities and hacker attacks on the technological networks of an enterprise and supports the investigation of incidents (including retrospectively) at critical facilities. PT ISIM helps to combat internal and external security threats, including unauthorized connections, password guessing, illegal control commands, substitution of industrial equipment firmware, potentially dangerous personnel actions, and configuration errors. PT ISIM is already included in the product portfolios of authorized partners of Positive Technologies.
"We started to create a product aimed at ensuring industrial cybersecurity in 2014. We were acutely aware of the need for such a solution based on the results of our research work in APCS networks in companies of various industries. In particular, our research center found more than 140,000 ACS components available from the Internet, 10% of which were vulnerable. We identified over 250 zero-day vulnerabilities in ACS systems, despite the fact that the system owners themselves did not even suspect how vulnerable these resources were," says Filippov Maxim, director of Positive Technologies for Business Development in Russia. "Having accumulated all our technical potential and experience, in a year and a half, by the middle of 2015, we developed the first version of the product, having tested it in the pilot zone of one of the industry-forming domestic companies. Over the past six months, the product has grown from custom development in the interests of a narrow range of companies into an industrial solution, the pre-release version of which we demonstrated to our partners in February this year."
PT ISIM has a built-in correlation mechanism that links security events into logical chains and detects time-distributed attacks. The chain grows as the attack develops (sometimes over months), and each event in it may pose no threat on its own. This makes it possible to restore the full picture of what happened when hacking or infection by malicious code is suspected.
The visualization function implemented in PT ISIM displays incidents on the industrial map of the enterprise with reference to specific equipment. The system also automatically notifies ACS operators and security specialists about the incident, with varying levels of detail depending on their permissions.
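The chain-building behaviour described above, as an added illustration rather than PT ISIM's own code: a minimal correlator that groups events per source host and target controller, expires events that fall outside a correlation window, and raises one incident once a pair has progressed through enough distinct attack stages. The stage names follow the threat types listed in the announcement; the stage ordering, the 90-day window, the three-stage threshold and the sample events are this example's assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Stages in the order an intrusion usually progresses. Names follow the threat types the
# announcement lists; the ordering, window and threshold are this example's assumptions.
STAGES = ("unauthorized_connection", "password_guessing",
          "illegal_control_command", "firmware_substitution")

@dataclass(frozen=True)
class Event:
    ts: datetime   # time the event was seen in the mirrored traffic
    src: str       # host that originated the traffic
    dst: str       # controller the traffic was addressed to
    kind: str      # one of STAGES

class ChainCorrelator:
    """Per (src, dst) pair, raise one incident once alert_depth distinct stages fall inside window."""
    def __init__(self, window=timedelta(days=90), alert_depth=3):
        self.window, self.alert_depth = window, alert_depth
        self.chains = defaultdict(list)   # (src, dst) -> events still inside the window
        self.alerted = set()              # pairs already escalated to an incident

    def ingest(self, ev):
        key = (ev.src, ev.dst)
        # Expire events older than the window so stale noise cannot build a chain.
        chain = [e for e in self.chains[key] if ev.ts - e.ts <= self.window] + [ev]
        self.chains[key] = chain
        # Stages this pair has reached so far, in kill-chain order.
        reached = [s for s in STAGES if any(e.kind == s for e in chain)]
        if len(reached) >= self.alert_depth and key not in self.alerted:
            self.alerted.add(key)
            return {"src": ev.src, "dst": ev.dst, "stages": reached,
                    "span_days": (ev.ts - chain[0].ts).days}
        return None

def correlate(events):
    """Feed events in time order and collect every incident raised."""
    corr = ChainCorrelator()
    hits = (corr.ingest(ev) for ev in sorted(events, key=lambda e: e.ts))
    return [inc for inc in hits if inc]

# Constructed sample: one slow intrusion against a single controller, plus unrelated noise.
T0 = datetime(2016, 3, 1)
SAMPLE = [
    Event(T0, "10.0.5.23", "192.168.10.7", "unauthorized_connection"),
    Event(T0 + timedelta(days=3), "10.0.5.40", "192.168.10.9", "password_guessing"),
    Event(T0 + timedelta(days=21), "10.0.5.23", "192.168.10.7", "password_guessing"),
    Event(T0 + timedelta(days=47), "10.0.5.23", "192.168.10.7", "illegal_control_command"),
]
```

Running `correlate(SAMPLE)` yields a single incident for the 10.0.5.23 to 192.168.10.7 pair spanning 47 days, while the lone password-guessing event from 10.0.5.40 never escalates.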
By connecting PT ISIM to the enterprise infrastructure in a unidirectional way, any impact of the system on the technological process is completely eliminated: it works exclusively in passive mode, collecting a copy of traffic for analysis.
"PT ISIM is a practical implementation of our approach to protecting automated control systems. Conceptually important in this case is, firstly, the formation of attack chains as a powerful means of countering time-distributed threats. Secondly, visualization of attacks on business logic to correctly interpret the events of the system. And, thirdly, non-interference in the technological process due to the passive mode of operation," said Oleg Matykov, head of Positive Technologies. "At the same time, different interfaces are created for different industries, and with each implementation, PT ISIM adapts to the real operating environment: typical protocols, architecture, correlation rules and equipment. The effectiveness of detecting attacks with this approach increases significantly."
Pilot implementations have been launched in the transport industry and the fuel and energy complex; work is underway to adapt the product to the specifics of other industries.